Skip to content

You find CloudTrail (control-plane audit logging) is disabled in a production account. Why does it matter and what do you do?

Short answer

Without control-plane audit logs you're blind to who did what at the cloud layer, and detection, forensics, and compliance all depend on that record. Enable CloudTrail immediately, org-wide, delivering to a separate, access-controlled, tamper-resistant (immutable) bucket. Saying it doesn't matter while nothing is wrong ignores that you'd have no history when something does go wrong. Waiting until an incident means the formative early actions are already unlogged and unrecoverable. Application logs don't capture API, IAM, or console activity at the control plane.

Audit logging is the foundation everything else stands on. The interviewer wants to hear that you treat missing control-plane logs as an active risk — because the cost of not having them is only ever paid in the middle of an incident, when it's too late to fix.

Why it matters

CloudTrail records control-plane API activity: who called what, from where, when — IAM changes, console logins, resource creation and deletion, policy edits. Without it you have no record of account activity. Detection rules have nothing to fire on, an incident responder has no timeline to reconstruct, and compliance frameworks that require an audit trail are unmet. Application logs operate one layer up; they say nothing about API calls, IAM, or console actions at the cloud control plane.

What you do

Enable CloudTrail now, org-wide (so every current and future account is covered by default), delivering to a separate, access-controlled, immutable destination — ideally a dedicated logging account with S3 Object Lock / log file validation so even an admin (or attacker) in the production account can't quietly delete or tamper with the history.

Why the distractors are wrong

  • "Doesn't matter while nothing is wrong." The whole point of audit logs is to have the history before something goes wrong. By the time you need them, you can't retroactively create them.
  • Enable only after an incident. The earliest, most diagnostic actions of an incident — the initial access, the privilege escalation — happen before you'd flip it on. You'd be investigating with a blank tape for the part that matters most.
  • Rely on application logs. Useful, but a different layer. They don't capture API, IAM, or control-plane activity, so they can't tell you who created a rogue user or disabled a security control.

What interviewers look for

Treating it as urgent, enabling org-wide coverage, and protecting the trail's integrity (separate account, immutable storage, log validation). Strong candidates note that attackers commonly try to disable logging, so an alarm on StopLogging/DeleteTrail is itself a key detection.

Likely follow-ups

  • Why does the trail need to go to a separate account or immutable bucket rather than the same account?
  • What classes of activity does CloudTrail capture that application logs never will?
  • If an attacker disabled the trail, how would you even know, and how do you prevent that?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.